Groundrules on Complaining About Security

Groundrules on Complaining About Security

In this article, I want to lead into some other articles I’m working on. In those, I’m going to complain about security. But I want those complaints to be thoughtful and within a proper context.

You will hear many of us in security talk about threat models. Adam literally wrote the book on threat models and if you don’t have a copy, you should get one.

Threat models are a way of thinking about security in a somewhat rigorous way. Without some sort of threat model, you’re not really doing security.

Threat models sound complex, but they’re really not. We all do them intuitively all the time, and here’s the basic outline of how to make one. You want answers to these questions:

  1. What are you doing?
  2. What could go wrong?
  3. What are you doing about it?

Among the valuable things in Adam’s book, he talks about these and more, but these three simple questions frame how to talk about security no matter who you are. If you don’t have a threat model, you might be doing something useful, but it’s not really security.

If you are a maker of security, without a threat model you might have a solution in search of a problem. You might also have a stone soup security system, in which you throw a bunch of things in a pot, and while tasty (or secure), isn’t organized. There are many, many stone soup security systems out there.

If you’re going to use a security system, without a threat model you have no way to know if what you’re getting meets your needs.

If you’re challenging a security system, without a threat model, your criticisms may be true but irrelevant.

It is these latter two cases – deciding what security system to you and providing a critique of a security system – that I’m going to focus on, particularly since I’m going to be engaging in challenges, and people selecting a system also need to think about what their own threat model is when selecting a system. If you’re going to use a secuity system, a little bit of thought about what you expect it to do and what you expect it to protect you from is in required.

Let me move a bit away from computer security for a moment; analogies often help.

Let’s look at this statement:

  • Aspirin doesn’t cure cancer.

It’s true. Aspirin doesn’t cure cancer. It doesn’t do half-bad on headaches (with of course, a number of other qualifiers), but it doesn’t cure cancer.

However, if Alice says, “I’m going to go take an aspirin” and Bob says, “Aspirin doesn’t cure cancer,” he has implicitly assumed that her threat model is not:

  • I have a headache
  • I’m going to take an aspirin to cure it

but

  • I have cancer
  • I’m going to take an aspirin to cure it.

Even if Alice actually does have cancer, she might also have a headache. Especially if she has to deal with someone with simplisitic thinking like Bob. This is the sort of headache that got me to write this essay.

Getting back to security, while I was typing the first part of this, a friend and I started on a discussion. We started with wondering if since most front door locks are easily picked, does that mean that they’re just security theatre. The discussion then went into social value of locks (most people are honest, after all), the technological merits of Abloy locks, the expense of getting a good lock for all your doors, the human factors aspects of wanting one key for all your doors, the security problem of weak points from the porch to the windows, and then on to reinforcing hinges and even the front door itself. It was a fun discussion, but it wasn’t a good security discussion, it was security stone soup. The initial question of whether most door locks do anything was the pot of water with a stone in it and we kept adding in garnishes until we ended up with a tasty conversation. However, at no point did we discuss a threat model. We don’t know what we were trying to protect, what threats we were protecting it from, or anything that turns it into a real security discussion.

I think we were talking about a stereotypical threat of a burglar backing up a van to the house and carting off a lot of valuables, but I am just presuming that.

I know of what I speak in this issue of threat models because I’m guilty of it, too. It’s so easy to get caught up in security stone soup that it happened to me while I was writing an essay on threat models and security stone soup.

Now that I have a couple of ground rules in place as a preface, I will complain about security in my next essay.

On Immigration and Refugees

NewImage Sergey Brin and baby
The ban on refugees is illegal, immoral and un-American, and as an American, I want to add my voice.

The ban is illegal. (“Trump’s Immigration Ban Is Illegal.”) I suspect that the United States also has legal obligations under treaties to accept refugees, but Google isn’t my lawyer, and I am no expert.

The ban is immoral. Those who have gone through our immigration process and gotten green cards are being restricted from returning to the US. Those people have followed the legal path to immigration and built lives here. We made a deal with them and we’re breaking it, suddenly and without warning. Those people might have jobs, school, or family to return to, and their lives are upended and uncertain. These are not illegal aliens, they are people who have gone through a complex, and sometimes kafka-esque immigration process.

I have worked with engineers from Syria. (I’m not going to name them in today’s climate.) They did good work, and were good people. They were dealing with the horror of hearing family back home was missing, and they did good work anyway.

The President is hurting America with this ban. By telling those here legally that their status can be upended at a whim, he makes a strong argument against coming here by following the rules as they exist on a given day. Some people will continue to come here in violation of the law; others will go elsewhere, and another country will get both the risk and the reward from that set of refugees.

It’s worth noting that the protests and court orders yesterday, while welcome, “Despite growing dissent, Trump gives no sign of backing down from travel ban.” I guess we need to keep calling this what it is: un-American.

Pictured is John von Neumann, refugee, and inventor of the von Neumann architecture that’s at the heart of the computer on which you’re reading this, and Sergey Brin, co-founder of Google, on his way to protest in San Francisco.

[Update: The hawks at Lawfare blog have an analysis, Malevolence Tempered by Incompetence:.]

2017 and Tidal Forces

There are two great blog posts at Securosis to kick off the new year:

Both are deep and important and worth pondering. I want to riff on something that Rich said:

On the security professional side I have trained hundreds of practitioners on cloud security, while working with dozens of organizations to secure cloud deployments. It can take years to fully update skills, and even longer to re-engineer enterprise operations, even without battling internal friction from large chunks of the workforce…

It’s worse than that. Yesterday Recently on Emergent Chaos, I talked about Red Queen Races, where you have to work harder and harder just to keep up.

In the pre-cloud world, you could fully update your skills. You could be an expert on Active Directory 2003, or Checkpoint’s Firewall-1. You could generate friction over moving to AD2012. You no longer have that luxury. Just this morning, Amazon launched a new rev of something. Google is pushing a new rev of its G-Suite to 5% of customers. Your skillset with the prior release is now out of date. (I have no idea if either really did this, but they could have.) Your skillset can no longer be a locked-in set of skills and knowledge. You need the meta-skills of modeling and learning. You need to understand what your model of AWS is, and you need to allocate time and energy to consciously learning about it.

That’s not just a change for individuals. It’s a change for how organizations plan for training, and it’s a change for how we should design training, as people will need lots more “what’s new in AWS in Q1 2017” training to augment “intro to AWS.”

Tidal forces, indeed.

Kyber Crystal and the Death Star

Death star construction

This post has spoilers for Rogue One, and also Return of the Jedi.

We learn in Rogue One that the Death Star’s main gun is powered by Kyber crystal. We know from various sources that it’s rare.

Then the Death Star is tested, destroying Jedah, where they’re mining the crystals. Note that both times its fired, they give the order “single reactor ignition.” Are they testing the reactors and power systems, or conserving kyber crystal?

Really, how much “ammo” did the original Death Star have on board? How many times could they fire the main gun?

Was ten or fifteen shots considered sufficient, because after a demonstration, fear will keep the local systems in line? Where did they find enought kyber crystal for the second Death Star?

The Dope Cycle and the Two Minutes Hate

[Updated with extra links at the bottom.]

There’s a cycle that happens as you engage on the internet. You post something, and wait, hoping, for the likes, the favorites, the shares, the kind comments to come in. You hit reload incessantly even though the site doesn’t need it, hoping to get that hit that jolt even a little sooner. That dopamine release.

A Vicious cycle of pain, cravings, more drugs, and guilt

Site designers refer to this by benign names, like engagement or gamification and it doesn’t just happen on “social media” sites like Twitter or Instagram. It is fundamental to the structure of LinkedIn, of Medium, StackExchange, of Flickr. We are told how popular are the things we observe, and we are told to want that popularity. Excuse me, I mean that influence. That reach. And that brings me to the point of today’s post: seven tips to increase your social media impactfulness. Just kidding.

Not kidding: even when you know you’re being manipulated into wanting it, you want it. And you are being manipulated, make no mistake. Site designers are working to make your use of their site as pleasurable as possible, as emotionally engaging as possible. They’re caught up in a Red Queen Race, where they must engage faster and faster just to stay in place. And when you’re in such a race, it helps to steal as much as you can from millions of years of evolution. [Edit: I should add that this is not a moral judgement on the companies or the people, but rather an observation on what they must do to survive.] That’s dopamine, that’s adrenaline, that’s every hormone that’s been covered in Popular Psychology. It’s a dope cycle, and you can read that in every sense of the word dope.

This wanting is not innocent or harmless. Outrage, generating a stronger response,
wins. Sexy, generating a stronger response, wins. Cuteness, in the forms of awwws, wins. We are awash in messages crafted to generate strong emotion. More, we are awash in messages crafter to generate stronger emotion than the preceding or following message. This is not new. What is new is that the analytic tools available to its creators are so strong that the Red Queen Race is accelerating (by the way, that’s bait for outraged readers to insist I misunderstand the Red Queen Race, generating views for this post). The tools of 20th century outrage are crude and ineffective. Today’s outrage cycle over the House cancelling its cancellation of its ethics office is over, replaced by outrage over … well, it’s not year clear what will replace it, but expect it to be replaced.

When Orwell wrote of the Two Minutes Hate, he wrote:

The horrible thing about the Two Minutes Hate was not that one was obliged to act a part, but that it was impossible to avoid joining in. Within thirty seconds any pretense was always unnecessary. A hideous ecstasy of fear and vindictiveness, a desire to kill, to torture, to smash faces in with a sledge hammer, seemed to flow through the whole group of people like an electric current, turning one even against one’s will into a grimacing, screaming lunatic. And yet the rage that one felt was an abstract, undirected emotion which could be switched from one object to another like the flame of a blowlamp.

I am reminded of Hoder’s article, “The Web We Have to Save” (4.4K hearts, 165 balloons, and no easy way to see on Medium how many sites link to it). Also of related interest is Good-bye to All That Twitter and “Seattle author Lindy West leaves Twitter, calls it unusable for ‘anyone but trolls, robots and dictators’” but I don’t think Twitter, per se, is the problem. Twitter has a number of aspects which make trolling (especially around gender and race issues, but not limited to them) especially emotionally challenging. Those are likely closely tied to the anticipation of positivity in “mentions”, fulfilled by hate. But the issues are made worse by site design that successfully increases engagement.

I don’t know what to do with this observation. I have tried to reduce use of sites that use the structures of engagement: removing them from my reading in the morning, taking their apps off my phone. But I find myself typing their URLs when I’m task switching. I am reluctant to orient around addiction, as it drags with it a great deal of baggage around free will and ineffective regulation.

But removing myself from Twitter doesn’t really address the problem of the two minutes hate, nor of the red queen race of dope cycles. I’d love to hear your thoughts on what to do about them.


[Update: Related, “Hacking the Attention Economy,” by danah boyd.]

[Update (8 Feb): Hunter Walk writes “Why Many Companies Mistakingly Think Trolls & Harassment Are Good for Business,” and I’d missed Tim Wu writing on “The Attention Merchants.”]

Rogue One: The Best Star Wars Yet?

NewImageSomeone once asked me why I like Star Wars more than Star Trek. I was a bit taken aback, and he assumed that since I use it so much, I obviously prefer it. The real reason I use Star Wars is not that it’s better, but that there’s a small canon, and I don’t have to interrupt the flow of a talk to explain the scene where Darth Vader is strangling someone. But let’s face it, Star Trek was often better as science fiction. There are four or five bright lights that rank up there as some of the very best storytelling of the last few decades.

Trek at its most poignant was a transparent mirror to the world. The original series commented on Vietnam and race repeatedly in ways which let people see another way of looking at a situation. Moral nuance is easier to see when the ox being gored isn’t yours.

Rogue One is the first Star Wars with moral complexity. If you haven’t seen it, I find your lack of faith…disturbing. But when there’s a guy who cost you your limbs, your children, and threw the galaxy into civil war, throwing him in the reactor core isn’t a very complex choice. In fact, the whole “dark side” is a bit of a giveaway. In case you miss that, the Jedi were guardians of peace and justice throughout the galaxy. Are we clear yet? No? How about the Nazi uniforms? I could go on, but we’re gonna get to spoilers. My point is, the first four films were great action movies. Maybe we’ll see some moral complexity when someone finally gets around to filming the tragic fall of Anakin Skywalker, reputedly the core story of I-III. But I’m betting they’ll be action movies with talking teddy bears for the kids.

Speaking of morality, if you’re just now noticing that your political world resembles the Empire’s, or if you’re angry that the script seems to mock your party…maybe you should look at your world through that mirror and ask if you’re on the right side of morality or history. After all, that’s what makes for great science fiction. The opportunity to see the world through a new lens. And the fact is, the story was not substantially re-written. “Rogue One’s Discarded Dialog” and See 46 shots that were cut from Rogue One” show a story with a little less character, a little more army, but not a sympathetic, racially and species-diverse Empire. The movie wasn’t re-written as a commentary on 2016.

Structurally, Rogue One is a war story, not an action story. It’s not about the hero’s journey, or Luke growing up. It’s a story about the chaos that follows a civil war, and it’s messy and has characters who make choices from a set of bad options.

When Cassian shoots the fellow so he can escape at the start? Galen Erso’s decision to work on the Death Star, delay it, and insert a flaw (or two?) These are perhaps the wrong choices in bad situations. We don’t see why Saw Gerrera and the Rebel Alliance split. We see the Rebellion at its worst — unable to take action in the face of imminent destruction, and then impulsively chasing Rogue One into battle. (What Rogue One Teaches Us About the Rebel Alliance’s Military Chops is a great dissection of this.)

But we can look to Galen Erso’s decision to work on the Death Star, and have a conversation about what he should have done. Gone to a labor camp and let someone else build it with a better reactor core? What if that someone else had put more shielding over the thermal exhaust ports? (Speaking of which, don’t miss “The Death Star Architect Speaks Out,” and perhaps even my commentary, “Governance Lessons from the Death Star Architect.” I think the governance questions are even more interesting now, if the Empire were to conduct a blameless post mortem, but we know they don’t.) We can use that decision to talk, abstractly, about taking a job in the Trump Administration with less of the horrible emotional weight that that carries.

That mirror on the world is what great science fiction offers us, and that’s what makes Rouge One the best Star Wars yet.

Yahoo! Yippee? What to Do?

[Dec 20 update: The first draft of this post ended up with both consumer and enterprise advice, which made it complex. The enterprise half is now on the IANS blog: Never Waste a Good Crisis: Yahoo Edition.]

Yesterday, Yahoo disclosed that attackers broke into Yahoo in 2013 and stole details on a billion accounts. Brian Krebs summarizes what was taken, and also has a more general FAQ.

The statement says that for “potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

Yahoo says users should change their passwords and security questions and answers for any other accounts on which they used the same or similar information used for their Yahoo account.

The New York Times has an article “How Many Times Has Your Personal Information Been Exposed to Hackers?

The big question is “How can you protect yourself in the future?” The Times is right to ask it, and their answer starts:

It’s pretty simple: You can’t. But you can take a few steps to make things harder for criminals. Turn on two-factor authentication, whenever possible. Most banking sites and ones like Google, Apple, Twitter and Facebook offer two-factor authentication. Change your passwords frequently and do not use the same password across websites.

I think the Times makes two important “mistakes” in this answer. [Update: I think mistake may be harsher than I mean: I wish they’d done differently.]

The first mistake is to not recommend a password manager. Using a password manager is essential to using a different password on each website. I use 1Password, and recommend it. I also use it to generate random answers to “security questions” and use 1Password’s label/data fields to store those. I do hope that one day they start managing secret questions, but understand that that’s tricky because secret questions are not submitted to the web with standard HTML form names.

The reason I recommend 1Password is that it works well without the cloud, and that means that a cloud provider cannot disclose my passwords. They also can’t disclose my encrypted passwords, where encrypting them is a mitigation for that first-layer information disclosure threat. (One of these days I should write up my complete password manager threat model.) These threats are important and concrete. 1Password competitor Lastpass has repeatedly messed this up, and those problems are made worse by their design of mandatory centralization.

It’s not to say that 1Password is perfect. Tavis Ormandy has said “More password manager bugs out today and more due out soon. I’m not going to look at more, the whole industry is crazy,” and commented on 1Password with a GIF. Some of those issues have now been revealed. (Tavis is very, very good at finding security flaws, and this worries me a bit.)

But: authentication is hard. You must make a risk tradeoff. The way I think about the risk tradeoff is:

  • If I use a single password, it’s easily compromised in many places. (Information disclosure threats at each site, and in my browser.)
  • If I use a paper list, an attacker who compromises my browser can likely steal most of my passwords.
  • If I use a cloud list, an attacker who breaks into that cloud can steal the list. If the list is encrypted, then they can still attack it offline. If the cloud design either sends my master password to the cloud, or javascript to the client, then my master password is vulnerable to an attacker who has broken into the cloud.
  • If I use a paper list, I can’t back it up easily. (My backups are on my phone, and in a PGP encrypted file on a cloud provider.)

So 1Password is the least bad of currently available options, and the Times should have put a stake in the ground on the subject. (Or perhaps their new “Wirecutter” division should take a look. Oh wait! They did. I disagree with their assessment, as stated above.)

The second big mistake is to assert that you can’t fully protect yourself in a simple, declarative sentence at the end of their answer. What’s that you say? It’s not the end of their answer? But it is. In today’s short attention-span world, you see those words and stop. You move on. It’s important that security advice be actionable.

So: use a password manager. Lie in your answers to “secret questions.” Tell different sites different lies. Use a password manager to remember them.

Seeing the Big Picture

This quote from Bob Iger, head of Disney, is quite interesting for his perspective as a leader of a big company:

There is a human side to it that I try to apply and consider. [But] the harder thing is to balance with the reality that not everything is perfect. In the normal course of running a company this big, you’re going to see, every day, things that are not as great as you would have hoped or wanted them to be. You have to figure out how to absorb that without losing your sense of optimism, which is part of leadership — without losing faith, without wanting to go under the covers and not come out, without being down or angry to a counterproductive level, and without demanding something of people that is unfair, inhuman, impossible. (“Bob Iger on Shanghai Disney, Parting With His Chosen Successor, and His Pursuit of Perfection“, Variety)

Note that he’s not saying ignore the problems; he’s not saying don’t get angry; he’s not saying don’t demand improvement. He’s saying don’t get so angry that it’s counterproductive. He’s saying be demanding, but be demanding in a fair way. He’s also saying that you can remain optimistic in the face of problems.

There’s lessons here for security professionals.